Envelope-from vs header-from: the two sender addresses (and why DMARC cares)

Email carries two From addresses: the envelope-from your server uses to route bounces, and the header-from your recipient sees. SPF checks one, DMARC judges the other. Here is the difference, and why it decides whether your mail passes.

Two different From addresses

Every email carries two separate sender identities, set at two different layers:

  • The envelope-from (its technical name is RFC5321.MailFrom, also called the return-path or bounce address). Your sending server sets it with the SMTP MAIL FROM command. It is where bounces and delivery failures go, and at delivery it is written into the message as the Return-Path: header. Your recipient does not normally see it.
  • The header-from (RFC5322.From) is the From: line inside the message. It is what the mail client shows as the sender and what a human reads. It is also, for exactly that reason, the address attackers most want to forge.

These two can be, and for third-party senders almost always are, different domains.

Which check looks at which address

This is the crux, and it surprises people:

  • SPF checks the envelope-from (the RFC5321.MailFrom), plus the HELO name. It never looks at the From: you see (RFC 7208).
  • DKIM does not check either address directly. It signs with a domain in the d= tag of the signature, which is independent of both (RFC 6376).
  • DMARC checks the header-from (RFC5322.From) and ties everything together: it requires the visible From: domain to align with an identity that authenticated, either the SPF envelope domain or the DKIM d= domain (RFC 7489).

So SPF can pass while DMARC fails, because SPF passed for the envelope domain, which is not the visible domain.

What alignment means

DMARC does not just want SPF or DKIM to pass. It wants the passing identity to match your From: domain. There are two modes:

  • Relaxed (the default): the two only need to share an organizational domain, so mail.example.com aligns with example.com.
  • Strict: the domains must match exactly.

You set the mode per mechanism with aspf (for SPF) and adkim (for DKIM); both default to relaxed.

Why your mail can pass SPF and still fail DMARC

This is the single most common confusion, and it comes straight from the two-address split. When you send through an ESP or SaaS tool, it usually puts its own domain in the envelope-from (so bounces come back to it). SPF then passes for the ESP's domain, but that domain does not align with your From: domain, so DMARC's SPF side fails.

The fix is almost always aligned DKIM: have the service sign with d=yourdomain.com (usually by CNAMEing its DKIM selector onto your domain). Then DKIM passes and aligns, and DMARC passes no matter what the envelope says. Aligned DKIM also survives forwarding, where SPF breaks.

The spoofing gap DMARC closes

Because SPF only ever checked the envelope, a spoofer can pass SPF on a domain they legitimately control and still put your domain in the visible From:. The recipient sees your name; SPF said nothing about it. That gap, the visible sender nobody was authenticating, is exactly what DMARC was built to close, by binding the From: you see to an authenticated, aligned identity.

How to read it in your own headers

Open any received message, view the original, and you will find all the pieces:

  • Return-Path: (or smtp.mailfrom= in Authentication-Results) is the envelope-from, what SPF checked.
  • header.from= in Authentication-Results is the header-from, what DMARC judged.
  • header.d= is the domain DKIM signed with.

Compare them: DMARC aligns when header.from's domain matches either smtp.mailfrom's domain (the SPF path) or header.d (the DKIM path).
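
The comparison above, together with the relaxed and strict modes from "What alignment means", as an added Python example (not code from this page or from any DMARC implementation). The sample message, its domains and the two-label org_domain shortcut are constructed assumptions; a real evaluator finds the organizational domain with the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: ESP domain in the envelope, your domain in From:, DKIM d= on your domain.
SAMPLE = """\
Return-Path: <bounce-123@mail.esp-example.net>
Authentication-Results: mx.receiver.example;
 spf=pass (sender ok) smtp.mailfrom=bounce-123@mail.esp-example.net;
 dkim=pass header.d=example.com header.s=s1;
 dmarc=pass header.from=news.example.com
From: Example News <news@news.example.com>
Subject: constructed sample

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List; this shortcut is wrong for suffixes like co.uk.
    return ".".join(domain.split(".")[-2:])

def aligned(identity, from_domain, strict):
    identity = identity.rpartition("@")[2].lower().rstrip(".")
    if not identity:
        return False
    if strict:
        return identity == from_domain
    return org_domain(identity) == org_domain(from_domain)

def parse_auth_results(value):
    """Yield one {key: value} dict per method result in an Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", "", value)      # drop (comments)
    for part in value.split(";")[1:]:            # part 0 is the authserv-id
        yield dict(tok.split("=", 1) for tok in part.split() if "=" in tok)

def dmarc_alignment(raw, aspf="r", adkim="r"):
    """Return (spf_aligned, dkim_aligned, dmarc_pass) for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_ok = dkim_ok = False
    # Only trust an Authentication-Results header added by your own receiver.
    for res in parse_auth_results(msg.get("Authentication-Results", "")):
        if res.get("spf") == "pass":
            spf_ok |= aligned(res.get("smtp.mailfrom", ""), from_domain, aspf == "s")
        if res.get("dkim") == "pass":
            dkim_ok |= aligned(res.get("header.d", ""), from_domain, adkim == "s")
    return spf_ok, dkim_ok, spf_ok or dkim_ok

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))               # relaxed alignment
    print(dmarc_alignment(SAMPLE, adkim="s"))    # strict DKIM alignment
```

In the sample, SPF passes but does not align, and DKIM carries the result under relaxed alignment; with adkim set to strict the same message no longer aligns, because example.com is not an exact match for news.example.com.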

Frequently asked

Does SPF protect the From address I see?

No, and this is the most common misconception. SPF only checks the envelope-from (the return-path) and the HELO name, never the visible From: header. Protecting the visible From is exactly what DMARC adds on top of SPF and DKIM.

Why does my mail pass SPF but fail DMARC?

Because passing is not the same as aligning. Your sending service passed SPF for its own envelope domain, which does not match your From: domain, so DMARC's SPF side fails. Set up aligned DKIM (signed with d=yourdomain.com) and DMARC will pass.

What is the Return-Path, and is it the same as From?

The Return-Path: header is the envelope-from (where bounces go), written in at delivery. It is usually a different address from the From: you see, especially for mail sent through an ESP.

Relaxed or strict alignment, which should I use?

Relaxed (the default) is right for almost everyone: it lets subdomains of your organizational domain align, which is how most legitimate setups work. Use strict only when you deliberately want to require an exact domain match.

Last verified 2026-06-23 against RFC 7489, the DMARC specification.
